Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Logout is unauthorized except from auth.hail.is pages #14635

Closed
cjllanwarne opened this issue Jul 24, 2024 · 1 comment · Fixed by #14639
Closed

Logout is unauthorized except from auth.hail.is pages #14635

cjllanwarne opened this issue Jul 24, 2024 · 1 comment · Fixed by #14639
Assignees
@cjllanwarne
Labels
batch bug needs-triage A brand new issue that needs triaging. security

Comments

@cjllanwarne
Copy link
Collaborator

What happened?

Reproduction steps -

  • Log into batch.hail.is
  • Go to the batches page
  • Click Logout
  • Get "401: unauthorized" message page (but user is never actually logged out)
  • Go to auth.hail.is
  • Click logout
  • Logout succeeds

Expected:

  • Successful logout from any source page

Version

Batch - 0.2.132

Relevant log output

No response
@cjllanwarne cjllanwarne added needs-triage A brand new issue that needs triaging. bug batch security labels Jul 24, 2024
@cjllanwarne cjllanwarne mentioned this issue Jul 24, 2024
Merged
hail-ci-robot pushed a commit that referenced this issue Jul 24, 2024
@cjllanwarne
[Auth] Always select user during login prompt (#14636)
4cf6293 
Fixes #14634. Always prompt for which google account to use during
login. Avoids confusion over whether logout succeeded or not (especially
considering #14635)
@cjllanwarne
Copy link
Collaborator Author

cjllanwarne commented Jul 26, 2024
edited
Loading

This is caused by domain-by-domain CSRF tokens introduced in #14180. An unfortunate side effect is that the tokens available on non-auth pages are no longer able to validate requests to the auth/logout API.

Given the lack of apparent noise about this bug in our issues and zulip I suspect that this is not a common path for users, and that a fix along the lines of "require add one button click to go to the User page first before logging out is acceptable".

On the other hand, the risk of a user clicking on the broken Logout button and believing themselves to be logged out when seeing a 401: Unauthorized page (but actually still having logged-in state in their browser) raises this in my mind to a security bug rather than just a UX bug or an unfortunate user experience.

Therefore my proposal is:

  1. To fix the bug as soon as possible
  2. Accept an additional redirect in a user flow which is rarely exercised
  3. To make the smallest number of potentially risky changes to the underlying security architecture
  4. Therefore: Remove the broken "log out" link in page headers and replace with a Log out button on the auth[...]/users page which is guaranteed to have the correct CSRF token in state.

@cjllanwarne cjllanwarne mentioned this issue Jul 26, 2024
Merged
@cjllanwarne cjllanwarne self-assigned this Jul 26, 2024
hail-ci-robot pushed a commit that referenced this issue Aug 7, 2024
@cjllanwarne
[UI] Remove broken Log out; provide another option (#14639)
fca1b1a 
Fixes #14635. Logout is only possible from `auth` pages due to
per-subdomain CRSF tokens. Security/design thought process as documented
in a comment on the issue:
#14635 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cjllanwarne cjllanwarne

Labels
batch bug needs-triage A brand new issue that needs triaging. security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[UI] Remove broken Log out; provide another option cjllanwarne/hail
1 participant
@cjllanwarne